IN THE CLAIMS:

1-26. (CANCELLED) 

27. (NEW) A method comprising:

executing an application on a network device, the application having a plurality of
modules each associated with one or more layers of a hierarchy of communication
protocols;

storing, in a memory space associated with the application, a connection data 
structure, the connection data structure storing together data for the plurality of modules 
of the application for a connection maintained by the network device; 

forming a unique connection identifier for the connection; 

independently checkpointing portions of the connection data structure for different
modules into a memory space associated with a checkpoint server, the portions of the
connection data structure each being embedded with the unique connection identifier and
stored separately in the memory space associated with the checkpoint server; and

in response to a restart or failure of the application executing on the network device,
restoring the connection data structure in the memory space associated with the application,
by retrieving the separately stored portions of the connection data structure for
at least some of the different modules from the memory space associated with a checkpoint
server and combining them to reform the connection data structure in the memory
space associated with the application.

28. (NEW) The method of claim 27, wherein the independently checkpointing comprises: 

determining for each module of the plurality of modules when the module requires
a checkpoint of the module's portion of the connection data structure; and






PATENTS 
112025-0801 



in response to the determining a particular module requires a checkpoint, checkpointing
the particular module's portion of the connection data structure into the memory
space associated with the checkpoint server.

29. (NEW) The method of claim 27, wherein the independently checkpointing comprises: 

determining there has been a state change of the connection; 

and 

in response to the state change, checkpointing at least one particular module's
portion of the connection data structure into the memory space associated with the checkpoint
server.

30. (NEW) The method of claim 27, wherein the independently checkpointing is performed
individually by each module, such that each module checkpoints its own portion
of the connection data structure, and the retrieving is performed individually by each
module, such that each module retrieves its own portion of the connection data structure.

31. (NEW) The method of claim 27, wherein the application is a firewall application and 
the plurality of modules are modules within the firewall application. 

32. (NEW) The method of claim 27, wherein the forming a unique connection identifier 
for the connection comprises: 

combining a source address and a destination address of a packet associated with 
the connection. 

33. (NEW) The method of claim 27, wherein the plurality of modules include at least a 
module associated with Transmission Control Protocol (TCP), User Datagram Protocol 
(UDP), or File Transfer Protocol (FTP). 

34. (NEW) The method of claim 27 wherein a separate connection data structure is maintained
for each connection of a plurality of connections maintained by the network device.

35. (NEW) The method of claim 27, further comprising: 

executing the checkpoint server on the network device along with the application,
and wherein the memory space associated with the checkpoint server is memory space
provided by the network device separate from the memory space associated with the
application.

36. (NEW) The method of claim 27, further comprising:

executing the checkpoint server on a device other than the network device executing
the application.

37. (NEW) An apparatus comprising: 

a microprocessor configured to execute an application and a checkpoint server, 
the application having a plurality of modules each associated with one or more layers of a 
hierarchy of communication protocols; 

a memory having a memory space associated with the application and having a 
separate memory space associated with the checkpoint server; and 

the microprocessor further configured to execute instructions to store a connection
data structure that holds together data for the plurality of modules of the application related
to a particular connection maintained by the apparatus, to form a unique connection
identifier for the connection, to independently checkpoint portions of the connection data
structure for different modules into the memory space associated with the checkpoint
server where the portions are each embedded with the unique connection identifier yet stored
separately, and to restore, in response to a restart or failure of the application, the connection
data structure into the memory space associated with the application, by retrieval of
the separately stored portions of the connection data structure for at least some of the different
modules from the memory space associated with a checkpoint server and reassembly
of the portions to reform the connection data structure in the memory space associated
with the application.

38. (NEW) The apparatus of claim 37, wherein the instructions to independently checkpoint
comprise instructions to determine for each module of the plurality of modules
when the module requires a checkpoint of the module's portion of the connection data
structure and to, in response to determination a particular module requires a checkpoint,
checkpoint the particular module's portion of the connection data structure into the memory
space associated with the checkpoint server.

39. (NEW) The apparatus of claim 37, wherein the instructions to independently checkpoint
comprise instructions to determine there has been a state change of the connection,
and to, in response to the state change, checkpoint at least one particular module's portion
of the connection data structure into the memory space associated with a checkpoint
server.

40. (NEW) The apparatus of claim 37, wherein the application is a firewall application 
and the plurality of modules are modules within the firewall application. 

41. (NEW) The apparatus of claim 37 wherein the instructions to form the unique connection
identifier for the connection comprise instructions to combine a source address
and a destination address of a packet associated with the connection.

42. (NEW) The apparatus of claim 37 wherein the plurality of modules include at least a
module associated with Transmission Control Protocol (TCP), User Datagram Protocol
(UDP), or File Transfer Protocol (FTP).

43. (NEW) The apparatus of claim 37 wherein a separate connection data structure is 
maintained for each connection of a plurality of connections maintained by the apparatus. 

44. (NEW) A system comprising:

a network device configured to execute an application, the application having a
plurality of modules each associated with one or more layers of a hierarchy of communication
protocols, the network device further configured to store in a memory space associated
with the application a connection data structure, the connection data structure
maintaining together data for the plurality of modules of the application for a connection
maintained by the network device, the network device further configured to independently
checkpoint portions of the connection data structure for different modules; and

a checkpoint server configured to store in an associated memory space the independently
checkpointed portions of the connection data structure, the portions of the connection
data structure each being embedded with a unique connection identifier associated
with the connection and stored separately in the memory space associated with the
checkpoint server, the checkpoint server configured to, in response to a restart or failure
of the application executing on the network device, restore at least a part of the connection
data structure to the memory space associated with the application, by retrieval of the
separately-stored portions of the connection data structure for at least some of the different
modules from the memory space associated with a checkpoint server and reassembly
of the portions to reform the at least a part of the connection data structure in the memory
space associated with the application.






45. (NEW) The system of claim 55, wherein the checkpoint server is further configured 
to determine for each module of the plurality of modules when the module requires a 
checkpoint of the module's portion of the connection data structure, and to, in response to 
determination that a particular module requires a checkpoint, checkpoint the particular 
module's portion of the connection data structure into the memory space associated with 
the checkpoint server. 

46. (NEW) The system of claim 55, wherein the checkpoint server is further configured
to determine there has been a state change of the connection, and in response to the state
change, checkpoint at least one particular module's portion of the connection data structure
into the memory space associated with the checkpoint server.